Symptoms

You may experience issues with UDP-dependent network services after you install the Domain Name System (DNS) Server service security update 953230 (MS08-037) and then restart the computer. After security update 953230 is installed, a service that depends on a UDP port may not start on a computer that is running Windows 2000, Windows Server 2003 and Windows Server 2008. This issue occurs if the service has been allocated to the DNS Server service after security update 953230 is installed.

Cause

This issue occurs because the service cannot obtain the port that it requires to function correctly. This issue occurs because of changes to the port allocation in the DNS Service after security update 953230 is installed.

By default, after security update 953230 is installed, the DNS Server service randomly allocates 2,500 ports in the ephemeral port range. This is new behavior that is introduced by this update. A conflict may occur if one of these randomly allocated ports is a port that is used by the conflicting service.

Service conflicts are more likely in multirole servers that offer additional roles including DNS functionality. Because these ports are randomly allocated, these failures can be intermittent.

For example, this conflict can occur in the Windows IPsec Services service. The IPsec Services service uses UDP Port 4500. On DNS servers that also provide IPsec services, port conflicts could prevent the IPsec service from starting.

Workaround

To work around this issue, reserve the UDP port from the ephemeral port range to make sure that the service that depends on the port can start.

For more information about how to reserve ephemeral ports, click the following article number to view the article in the Microsoft Knowledge Base:

812873 How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server

For more information about UDP network ports that could potentially come into conflict, click the following article number to view the article in the Microsoft Knowledge Base:

832017 Service overview and network port requirements for the Windows Server system

In the IPsec service example that was mentioned earlier, you could add ports 4500–4500 by using the ReservedPorts registry key.

More Information

Detailed cause

The following is a more detailed explanation of the cause of this issue.

The implementation of the DNS server security update reserves a set of ports when randomizing queries. This design decision was made to address performance concerns for DNS servers that handle and originate a significantly larger number of queries compared to Windows-based clients. The set of reserved ports by the DNS Server is referred to from here onward as a "socket pool."

The default size of the socket pool on Windows-based servers is 2,500 sockets. This size is configurable by modifying the SocketPoolSize registry entry in the following subkey in the registry:

Note The DNS service must be restarted for the changes to the SocketPoolSize registry entry to take effect.

Windows 2000 and Windows Server 2003

Ephemeral port allocation and the MaxUserPort registry entryPorts that are allocated as part of the socket pool are pulled from the set of available ephemeral ports on the server. Ephemeral ports are ephemerally allocated by the TCP/IP stack during "wildcard binds" where the desired originating source port is not specified.

On Windows-based servers, the MaxUserPort registry entry defines the ephemeral port range and defines the highest port number that can be is allocated for ephemeral ports. The MaxUserPort registry entry is in the following subkey in the registry:

Effective ephemeral port range when the value of the MaxUserPort registry entry is set explicitlyIn Windows Server 2003 or in Windows 2000 Server, the value of the MaxUserPort registry entry defines the ephemeral port range. The range is from 1024 to the value that is defined by the MaxUserPort registry entry.

After you install security update 953230 on Windows Server 2003 and down-level platforms, the following conditions are true:

If the value of the MaxUserPort registry entry is set, the ports are allocated randomly from the [1024, MaxUserPort] range.

If the value of the MaxUserPort registry entry is not set, the ports are allocated randomly from the [49152, 65535] range.

Windows Server 2008

Effective ephemeral port rangeEphemeral port allocation occurs in the [49152-65535] port range before you install security update 953230 on Windows Server 2008. This port allocation behavior does not change after you install security update 953230. To view the current ephemeral port range, run the following command:

netsh int <ipv4|ipv6> show dynamicport <tcp|udp>

For more information about this security update and for information about any known issues with specific releases of this software, click the following article number to view the article in the Microsoft Knowledge Base:

929851 The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.